Unknown and reference signatures are accessed. The unknown and reference signatures indicate patterns that correspond to known threats to resources (such as computer systems and/or computer networks) in a computer environment and comprise a multitude of descriptive elements having information describing different aspects of a corresponding signature. A set of similarity measures is created of the unknown and reference signatures from different perspectives, each perspective corresponding to a descriptive element. The set of similarity measures are integrated to generate an overall similarity metric. The overall similarity metric is used to find appropriate categories in the reference signatures into which the unknown signatures should be placed. The unknown signatures are placed into the appropriate categories to create a mapping from the unknown signatures to the reference signatures. The mapping is output for use by an IDPS for determining whether a threat has occurred to the resources in the computer environment.